Securing Web Services

 
Ranch Hand
I am hoping others in this group can provide me some solid feedback concerning web services and securing them.

The task at hand is we have two application servers--WebLogic and WebSphere. We are looking for a uniform approach.

We have instituted a userNameToken approach within the Header, but all the examples we see are clear text examples. We would like to encrypt the password. This leads us to the next level of security and how it should be implemented. My initial design is for the handlers to encrypt and decrypt the password using a private key.

I would like to hear from others who have used encryption and how they tackled the process........

Thanks in advance
 
Rancher
Before you tackle encryption, have you looked at using a digest password instead of cleartext? It's just as easy to set up, although your Handler on the server will need to work a bit differently.
 
Russell Ray
Ranch Hand
Okay, I looked at message digest briefly and thought this was good. Can you point me in the right direction? I need examples.......
 
Russell Ray
Ranch Hand
duh........google it silly.......
 
Ulf Dittmer
Rancher
You may have figured it out by now, but in case you're using something like WSS4J, instead of using
<parameter name="passwordType" value="PasswordText"/>
you would use
<parameter name="passwordType" value="PasswordDigest"/>

while in your server-side PasswordCallback, you need to set the password that you're expecting for the user, instead of getting it. That's because a digested password can't be undigested into cleartext, but the expected password needs to be digested as well.
 